OWASP / owasp-masvs

The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

5.5 - What alternatives are available? #120

Closed Brcrwilliams closed 6 years ago

Brcrwilliams commented 6 years ago

5.5 states:

The app doesn't rely on a single insecure communication channel (email or SMS) for critical operations, such as enrollments and account recovery.

Going by the account recovery example, my question is how would this best be implemented? Security questions have always been a weak form of account recovery in that they may be guessed or found using OSINT. It is my opinion that sending an email with a password reset link is the most secure form of password recovery, but this section of MASVS is basically saying that doing this is not allowed. What is the better alternative?

sushi2k commented 6 years ago

Hi @Brcrwilliams,

the important part of this requirement is the word "single". Meaning, if you only use SMS or email, you should at least have another factor in your flow or combine them. So if you have a password reset link via mail, you could additionally ask the user for an OTP during the password reset flow (e.g. Google Authenticator).

One alternative solution I have seen in some apps is using Firebase Cloud Messaging on Android instead of relying on mail/SMS. Then the communication would at least be encrypted. Of course, this wouldn't protect you from malware running on your mobile, but it would reduce the attack surface by not disclosing the information in transit.
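As an added illustration of the "single channel" point above (not code from this thread or from the MASVS project): a hypothetical recovery backend in which the emailed reset link alone cannot change the password; the request must also carry a valid authenticator-app TOTP (RFC 6238). The RecoveryService class, the 15-minute link lifetime and the in-memory stores are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import struct

RESET_TOKEN_TTL = 15 * 60  # assumed: the emailed reset link is valid for 15 minutes


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as produced by common authenticator apps."""
    msg = struct.pack(">Q", now // step)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret: bytes, code: str, now: int) -> bool:
    """Accept the current 30 s window and one window either side for clock skew."""
    return any(hmac.compare_digest(totp(secret, now + d), code) for d in (-30, 0, 30))


class RecoveryService:
    """Hypothetical account-recovery backend: email link + authenticator OTP."""

    def __init__(self, totp_secrets: dict):
        self._totp_secrets = totp_secrets  # user -> enrolled authenticator secret
        self._pending = {}                 # sha256(token) -> (user, expiry)

    def start_reset(self, user: str, now: int) -> str:
        """Issue the one-time token that goes into the emailed reset link.
        Only a hash is stored, so a leaked database does not yield usable links."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, now + RESET_TOKEN_TTL)
        return token

    def complete_reset(self, token: str, otp: str, now: int) -> bool:
        """The reset proceeds only if the emailed token AND the OTP both check out."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Single use: the token is consumed on any attempt, so a stolen link
        # cannot be replayed or used to guess the OTP repeatedly.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return False
        user, expiry = entry
        if now > expiry:
            return False
        return verify_totp(self._totp_secrets[user], otp, now)
```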

Brcrwilliams commented 6 years ago

Thank you for the clarification @sushi2k. I'm not sure about the practicality of doing something like this, as I don't think I've ever seen an application implement a second factor into their account recovery process, but I can understand the reasoning behind it.